Post-release preparation for codeql-cli-2.12.3

Merge pull request #12209 from github/release-prep/2.12.3
Release preparation for version 2.12.3
2026-05-24 08:07:07 +02:00 · 2023-02-21 14:56:08 +00:00 · 2023-02-16 13:25:19 +00:00 · 2023-02-16 12:07:47 +00:00 · 2023-02-16 11:49:06 +00:00 · 2023-02-16 08:12:02 +00:00
132 changed files with 781 additions and 204 deletions
--- a/cpp/ql/lib/CHANGELOG.md
+++ b/cpp/ql/lib/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 0.5.3
+
+No user-facing changes.
+
 ## 0.5.2

 No user-facing changes.
--- a/cpp/ql/lib/change-notes/released/0.5.3.md
+++ b/cpp/ql/lib/change-notes/released/0.5.3.md
@@ -0,0 +1,3 @@
+## 0.5.3
+
+No user-facing changes.
--- a/cpp/ql/lib/codeql-pack.release.yml
+++ b/cpp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.5.2
+lastReleaseVersion: 0.5.3
--- a/cpp/ql/lib/qlpack.yml
+++ b/cpp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 0.5.3-dev
+version: 0.5.4-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
--- a/cpp/ql/src/CHANGELOG.md
+++ b/cpp/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 0.5.3
+
+No user-facing changes.
+
 ## 0.5.2

 No user-facing changes.
--- a/cpp/ql/src/change-notes/released/0.5.3.md
+++ b/cpp/ql/src/change-notes/released/0.5.3.md
@@ -0,0 +1,3 @@
+## 0.5.3
+
+No user-facing changes.
--- a/cpp/ql/src/codeql-pack.release.yml
+++ b/cpp/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.5.2
+lastReleaseVersion: 0.5.3
--- a/cpp/ql/src/qlpack.yml
+++ b/cpp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 0.5.3-dev
+version: 0.5.4-dev
 groups: 
  - cpp
  - queries
--- a/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
+++ b/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.4.3
+
+No user-facing changes.
+
 ## 1.4.2

 No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.4.3.md
+++ b/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.4.3.md
@@ -0,0 +1,3 @@
+## 1.4.3
+
+No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
+++ b/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.4.2
+lastReleaseVersion: 1.4.3
--- a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.4.3-dev
+version: 1.4.4-dev
 groups:
    - csharp
    - solorigate
--- a/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
+++ b/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.4.3
+
+No user-facing changes.
+
 ## 1.4.2

 No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.4.3.md
+++ b/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.4.3.md
@@ -0,0 +1,3 @@
+## 1.4.3
+
+No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
+++ b/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.4.2
+lastReleaseVersion: 1.4.3
--- a/csharp/ql/campaigns/Solorigate/src/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.4.3-dev
+version: 1.4.4-dev
 groups:
    - csharp
    - solorigate
--- a/csharp/ql/lib/CHANGELOG.md
+++ b/csharp/ql/lib/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 0.5.3
+
+### Minor Analysis Improvements
+
+* C# 11: Added extractor support for the `scoped` modifier annotation on parameters and local variables.
+
 ## 0.5.2

 ### Major Analysis Improvements
--- a/csharp/ql/lib/change-notes/2023-02-07-scoped-modifier.md
+++ b/csharp/ql/lib/change-notes/2023-02-07-scoped-modifier.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* C# 11: Added extractor support for the `scoped` modifier annotation on parameters and local variables.
--- a/csharp/ql/lib/change-notes/released/0.5.3.md
+++ b/csharp/ql/lib/change-notes/released/0.5.3.md
@@ -0,0 +1,5 @@
+## 0.5.3
+
+### Minor Analysis Improvements
+
+* C# 11: Added extractor support for the `scoped` modifier annotation on parameters and local variables.
--- a/csharp/ql/lib/codeql-pack.release.yml
+++ b/csharp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.5.2
+lastReleaseVersion: 0.5.3
--- a/csharp/ql/lib/qlpack.yml
+++ b/csharp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-all
-version: 0.5.3-dev
+version: 0.5.4-dev
 groups: csharp
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp
--- a/csharp/ql/src/CHANGELOG.md
+++ b/csharp/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 0.5.3
+
+No user-facing changes.
+
 ## 0.5.2

 No user-facing changes.
--- a/csharp/ql/src/change-notes/released/0.5.3.md
+++ b/csharp/ql/src/change-notes/released/0.5.3.md
@@ -0,0 +1,3 @@
+## 0.5.3
+
+No user-facing changes.
--- a/csharp/ql/src/codeql-pack.release.yml
+++ b/csharp/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.5.2
+lastReleaseVersion: 0.5.3
--- a/csharp/ql/src/qlpack.yml
+++ b/csharp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-queries
-version: 0.5.3-dev
+version: 0.5.4-dev
 groups: 
  - csharp
  - queries
--- a/docs/codeql/reusables/supported-versions-compilers.rst
+++ b/docs/codeql/reusables/supported-versions-compilers.rst
@@ -16,7 +16,7 @@
   .NET Core up to 3.1

   .NET 5, .NET 6","``.sln``, ``.csproj``, ``.cs``, ``.cshtml``, ``.xaml``"
-   Go (aka Golang), "Go up to 1.19", "Go 1.11 or more recent", ``.go``
+   Go (aka Golang), "Go up to 1.20", "Go 1.11 or more recent", ``.go``
   Java,"Java 7 to 19 [4]_","javac (OpenJDK and Oracle JDK),

   Eclipse compiler for Java (ECJ) [5]_",``.java``
--- a/go/ql/lib/CHANGELOG.md
+++ b/go/ql/lib/CHANGELOG.md
@@ -1,3 +1,13 @@
+## 0.4.3
+
+### New Features
+
+* Go 1.20 is now supported. The extractor now functions as expected when Go 1.20 is installed; the definition of `implementsComparable` has been updated according to Go 1.20's new, more-liberal rules; and taint flow models have been added for relevant, new standard-library functions.
+
+### Minor Analysis Improvements
+
+* Support for the Twirp framework has been added.
+
 ## 0.4.2

 No user-facing changes.
--- a/go/ql/lib/change-notes/2023-02-01--add-support-for-twirp-framework.md
+++ b/go/ql/lib/change-notes/2023-02-01--add-support-for-twirp-framework.md
@@ -1,2 +0,0 @@
-lgtm,codescanning
-* Support for the Twirp framework has been added.
--- a/go/ql/lib/change-notes/released/0.4.3.md
+++ b/go/ql/lib/change-notes/released/0.4.3.md
@@ -0,0 +1,9 @@
+## 0.4.3
+
+### New Features
+
+* Go 1.20 is now supported. The extractor now functions as expected when Go 1.20 is installed; the definition of `implementsComparable` has been updated according to Go 1.20's new, more-liberal rules; and taint flow models have been added for relevant, new standard-library functions.
+
+### Minor Analysis Improvements
+
+* Support for the Twirp framework has been added.
--- a/go/ql/lib/codeql-pack.release.yml
+++ b/go/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.2
+lastReleaseVersion: 0.4.3
--- a/go/ql/lib/qlpack.yml
+++ b/go/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/go-all
-version: 0.4.3-dev
+version: 0.4.4-dev
 groups: go
 dbscheme: go.dbscheme
 extractor: go
--- a/go/ql/lib/semmle/go/Types.qll
+++ b/go/ql/lib/semmle/go/Types.qll
@@ -112,22 +112,10 @@ class Type extends @type {
      or
      u instanceof ArrayType and u.(ArrayType).getElementType().implementsComparable()
      or
-      exists(InterfaceType uif | uif = u |
-        not uif instanceof BasicInterfaceType and
-        if exists(uif.getAnEmbeddedTypeSetLiteral())
-        then
-          // All types in the intersection of all the embedded type set
-          // literals must implement comparable.
-          forall(Type intersectionType |
-            intersectionType = uif.getAnEmbeddedTypeSetLiteral().getATerm().getType() and
-            forall(TypeSetLiteralType tslit | tslit = uif.getAnEmbeddedTypeSetLiteral() |
-              intersectionType = tslit.getATerm().getType()
-            )
-          |
-            intersectionType.implementsComparable()
-          )
-        else uif.isOrEmbedsComparable()
-      )
+      // As of Go 1.20, any interface type satisfies the `comparable` constraint, even though comparison
+      // may panic at runtime depending on the actual object's concrete type.
+      // Look at git history here if you need the old definition.
+      u instanceof InterfaceType
    )
  }

--- a/go/ql/lib/semmle/go/frameworks/Stdlib.qll
+++ b/go/ql/lib/semmle/go/frameworks/Stdlib.qll
@@ -65,6 +65,7 @@ import semmle.go.frameworks.stdlib.Syscall
 import semmle.go.frameworks.stdlib.TextScanner
 import semmle.go.frameworks.stdlib.TextTabwriter
 import semmle.go.frameworks.stdlib.TextTemplate
+import semmle.go.frameworks.stdlib.Unsafe

 /** A `String()` method. */
 class StringMethod extends TaintTracking::FunctionModel, Method {
--- a/go/ql/lib/semmle/go/frameworks/stdlib/Bytes.qll
+++ b/go/ql/lib/semmle/go/frameworks/stdlib/Bytes.qll
@@ -11,6 +11,15 @@ module Bytes {
    FunctionOutput outp;

    FunctionModels() {
+      hasQualifiedName("bytes", "Clone") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      hasQualifiedName("bytes", "Cut") and
+      (inp.isParameter(0) and outp.isResult([0, 1]))
+      or
+      hasQualifiedName("bytes", ["CutPrefix", "CutSuffix"]) and
+      (inp.isParameter(0) and outp.isResult(0))
+      or
      // signature: func Fields(s []byte) [][]byte
      hasQualifiedName("bytes", "Fields") and
      (inp.isParameter(0) and outp.isResult())
--- a/go/ql/lib/semmle/go/frameworks/stdlib/Errors.qll
+++ b/go/ql/lib/semmle/go/frameworks/stdlib/Errors.qll
@@ -22,6 +22,10 @@ module Errors {
      // signature: func Unwrap(err error) error
      hasQualifiedName("errors", "Unwrap") and
      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func Join(errs ...error) error
+      hasQualifiedName("errors", "Join") and
+      (inp.isParameter(_) and outp.isResult())
    }

    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
--- a/go/ql/lib/semmle/go/frameworks/stdlib/Sync.qll
+++ b/go/ql/lib/semmle/go/frameworks/stdlib/Sync.qll
@@ -11,6 +11,9 @@ module Sync {
    FunctionOutput outp;

    MethodModels() {
+      hasQualifiedName("sync", "Map", "CompareAndSwap") and
+      (inp.isParameter(2) and outp.isReceiver())
+      or
      // signature: func (*Map) Load(key interface{}) (value interface{}, ok bool)
      hasQualifiedName("sync", "Map", "Load") and
      (inp.isReceiver() and outp.isResult(0))
@@ -28,6 +31,13 @@ module Sync {
      hasQualifiedName("sync", "Map", "Store") and
      (inp.isParameter(_) and outp.isReceiver())
      or
+      hasQualifiedName("sync", "Map", "Swap") and
+      (
+        inp.isReceiver() and outp.isResult(0)
+        or
+        inp.isParameter(_) and outp.isReceiver()
+      )
+      or
      // signature: func (*Pool) Get() interface{}
      hasQualifiedName("sync", "Pool", "Get") and
      (inp.isReceiver() and outp.isResult())
--- a/go/ql/lib/semmle/go/frameworks/stdlib/Unsafe.qll
+++ b/go/ql/lib/semmle/go/frameworks/stdlib/Unsafe.qll
@@ -0,0 +1,22 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `unsafe` package.
+ */
+
+import go
+
+/** Provides models of commonly used functions in the `unsafe` package. */
+module Unsafe {
+  private class FunctionModels extends TaintTracking::FunctionModel {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    FunctionModels() {
+      hasQualifiedName("unsafe", ["String", "StringData", "Slice", "SliceData"]) and
+      (inp.isParameter(0) and outp.isResult())
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+}
--- a/go/ql/src/CHANGELOG.md
+++ b/go/ql/src/CHANGELOG.md
@@ -1,3 +1,13 @@
+## 0.4.3
+
+### New Queries
+
+* Added a new query, `go/unhandled-writable-file-close`, to detect instances where writable file handles are closed without appropriate checks for errors.
+
+### Query Metadata Changes
+
+* The precision of the `go/log-injection` query was decreased from `high` to `medium`, since it may not be able to identify every way in which log data may be sanitized. This also aligns it with the precision of comparable queries for other languages.
+
 ## 0.4.2

 No user-facing changes.
--- a/go/ql/src/change-notes/2023-02-06-unhandled-close-writable-handle.md
+++ b/go/ql/src/change-notes/2023-02-06-unhandled-close-writable-handle.md
@@ -1,4 +0,0 @@
---
-category: newQuery
---
-* Added a new query, `go/unhandled-writable-file-close`, to detect instances where writable file handles are closed without appropriate checks for errors.
--- a/go/ql/src/change-notes/2023-02-09-log-injection-precision.md
+++ b/go/ql/src/change-notes/2023-02-09-log-injection-precision.md
@@ -1,4 +1,9 @@
---
-category: queryMetadata
---
+## 0.4.3
+
+### New Queries
+
+* Added a new query, `go/unhandled-writable-file-close`, to detect instances where writable file handles are closed without appropriate checks for errors.
+
+### Query Metadata Changes
+
 * The precision of the `go/log-injection` query was decreased from `high` to `medium`, since it may not be able to identify every way in which log data may be sanitized. This also aligns it with the precision of comparable queries for other languages.
--- a/go/ql/src/codeql-pack.release.yml
+++ b/go/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.2
+lastReleaseVersion: 0.4.3
--- a/go/ql/src/qlpack.yml
+++ b/go/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/go-queries
-version: 0.4.3-dev
+version: 0.4.4-dev
 groups:
  - go
  - queries
--- a/go/ql/test/library-tests/semmle/go/Types/QualifiedNames.expected
+++ b/go/ql/test/library-tests/semmle/go/Types/QualifiedNames.expected
@@ -51,31 +51,31 @@
 | interface.go:95:6:95:8 | i18 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/Types.i18 |
 | interface.go:101:6:101:8 | i19 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/Types.i19 |
 | interface.go:105:6:105:8 | i20 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/Types.i20 |
-| interface.go:110:6:110:19 | testComparable | github.com/github/codeql-go/ql/test/library-tests/semmle/go/Types.testComparable |
-| interface.go:111:6:111:20 | testComparable0 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/Types.testComparable0 |
-| interface.go:112:6:112:20 | testComparable1 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/Types.testComparable1 |
-| interface.go:113:6:113:20 | testComparable2 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/Types.testComparable2 |
-| interface.go:114:6:114:20 | testComparable3 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/Types.testComparable3 |
-| interface.go:115:6:115:20 | testComparable4 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/Types.testComparable4 |
-| interface.go:116:6:116:20 | testComparable5 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/Types.testComparable5 |
-| interface.go:117:6:117:20 | testComparable6 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/Types.testComparable6 |
-| interface.go:118:6:118:20 | testComparable7 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/Types.testComparable7 |
-| interface.go:119:6:119:20 | testComparable8 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/Types.testComparable8 |
-| interface.go:120:6:120:20 | testComparable9 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/Types.testComparable9 |
-| interface.go:121:6:121:21 | testComparable10 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/Types.testComparable10 |
-| interface.go:122:6:122:21 | testComparable11 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/Types.testComparable11 |
-| interface.go:123:6:123:21 | testComparable12 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/Types.testComparable12 |
-| interface.go:124:6:124:21 | testComparable13 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/Types.testComparable13 |
-| interface.go:125:6:125:21 | testComparable14 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/Types.testComparable14 |
-| interface.go:126:6:126:21 | testComparable15 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/Types.testComparable15 |
-| interface.go:127:6:127:21 | testComparable16 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/Types.testComparable16 |
-| interface.go:128:6:128:21 | testComparable17 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/Types.testComparable17 |
-| interface.go:129:6:129:21 | testComparable18 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/Types.testComparable18 |
-| interface.go:130:6:130:21 | testComparable19 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/Types.testComparable19 |
-| interface.go:131:6:131:21 | testComparable20 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/Types.testComparable20 |
-| interface.go:132:6:132:21 | testComparable21 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/Types.testComparable21 |
-| interface.go:133:6:133:21 | testComparable22 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/Types.testComparable22 |
-| interface.go:134:6:134:21 | testComparable23 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/Types.testComparable23 |
+| interface.go:114:6:114:19 | testComparable | github.com/github/codeql-go/ql/test/library-tests/semmle/go/Types.testComparable |
+| interface.go:115:6:115:20 | testComparable0 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/Types.testComparable0 |
+| interface.go:116:6:116:20 | testComparable1 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/Types.testComparable1 |
+| interface.go:117:6:117:20 | testComparable2 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/Types.testComparable2 |
+| interface.go:118:6:118:20 | testComparable3 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/Types.testComparable3 |
+| interface.go:119:6:119:20 | testComparable4 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/Types.testComparable4 |
+| interface.go:120:6:120:20 | testComparable5 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/Types.testComparable5 |
+| interface.go:121:6:121:20 | testComparable6 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/Types.testComparable6 |
+| interface.go:122:6:122:20 | testComparable7 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/Types.testComparable7 |
+| interface.go:123:6:123:20 | testComparable8 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/Types.testComparable8 |
+| interface.go:124:6:124:20 | testComparable9 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/Types.testComparable9 |
+| interface.go:125:6:125:21 | testComparable10 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/Types.testComparable10 |
+| interface.go:126:6:126:21 | testComparable11 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/Types.testComparable11 |
+| interface.go:127:6:127:21 | testComparable12 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/Types.testComparable12 |
+| interface.go:128:6:128:21 | testComparable13 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/Types.testComparable13 |
+| interface.go:129:6:129:21 | testComparable14 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/Types.testComparable14 |
+| interface.go:130:6:130:21 | testComparable15 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/Types.testComparable15 |
+| interface.go:131:6:131:21 | testComparable16 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/Types.testComparable16 |
+| interface.go:132:6:132:21 | testComparable17 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/Types.testComparable17 |
+| interface.go:133:6:133:21 | testComparable18 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/Types.testComparable18 |
+| interface.go:134:6:134:21 | testComparable19 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/Types.testComparable19 |
+| interface.go:135:6:135:21 | testComparable20 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/Types.testComparable20 |
+| interface.go:136:6:136:21 | testComparable21 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/Types.testComparable21 |
+| interface.go:137:6:137:21 | testComparable22 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/Types.testComparable22 |
+| interface.go:138:6:138:21 | testComparable23 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/Types.testComparable23 |
 | pkg1/embedding.go:8:6:8:9 | base | github.com/github/codeql-go/ql/test/library-tests/semmle/go/Types/pkg1.base |
 | pkg1/embedding.go:19:6:19:13 | embedder | github.com/github/codeql-go/ql/test/library-tests/semmle/go/Types/pkg1.embedder |
 | pkg1/embedding.go:22:6:22:16 | ptrembedder | github.com/github/codeql-go/ql/test/library-tests/semmle/go/Types/pkg1.ptrembedder |
--- a/go/ql/test/library-tests/semmle/go/Types/Types.expected
+++ b/go/ql/test/library-tests/semmle/go/Types/Types.expected
@@ -51,31 +51,31 @@
 | interface.go:95:6:95:8 | i18 | i18 |
 | interface.go:101:6:101:8 | i19 | i19 |
 | interface.go:105:6:105:8 | i20 | i20 |
-| interface.go:110:6:110:19 | testComparable | testComparable |
-| interface.go:111:6:111:20 | testComparable0 | testComparable0 |
-| interface.go:112:6:112:20 | testComparable1 | testComparable1 |
-| interface.go:113:6:113:20 | testComparable2 | testComparable2 |
-| interface.go:114:6:114:20 | testComparable3 | testComparable3 |
-| interface.go:115:6:115:20 | testComparable4 | testComparable4 |
-| interface.go:116:6:116:20 | testComparable5 | testComparable5 |
-| interface.go:117:6:117:20 | testComparable6 | testComparable6 |
-| interface.go:118:6:118:20 | testComparable7 | testComparable7 |
-| interface.go:119:6:119:20 | testComparable8 | testComparable8 |
-| interface.go:120:6:120:20 | testComparable9 | testComparable9 |
-| interface.go:121:6:121:21 | testComparable10 | testComparable10 |
-| interface.go:122:6:122:21 | testComparable11 | testComparable11 |
-| interface.go:123:6:123:21 | testComparable12 | testComparable12 |
-| interface.go:124:6:124:21 | testComparable13 | testComparable13 |
-| interface.go:125:6:125:21 | testComparable14 | testComparable14 |
-| interface.go:126:6:126:21 | testComparable15 | testComparable15 |
-| interface.go:127:6:127:21 | testComparable16 | testComparable16 |
-| interface.go:128:6:128:21 | testComparable17 | testComparable17 |
-| interface.go:129:6:129:21 | testComparable18 | testComparable18 |
-| interface.go:130:6:130:21 | testComparable19 | testComparable19 |
-| interface.go:131:6:131:21 | testComparable20 | testComparable20 |
-| interface.go:132:6:132:21 | testComparable21 | testComparable21 |
-| interface.go:133:6:133:21 | testComparable22 | testComparable22 |
-| interface.go:134:6:134:21 | testComparable23 | testComparable23 |
+| interface.go:114:6:114:19 | testComparable | testComparable |
+| interface.go:115:6:115:20 | testComparable0 | testComparable0 |
+| interface.go:116:6:116:20 | testComparable1 | testComparable1 |
+| interface.go:117:6:117:20 | testComparable2 | testComparable2 |
+| interface.go:118:6:118:20 | testComparable3 | testComparable3 |
+| interface.go:119:6:119:20 | testComparable4 | testComparable4 |
+| interface.go:120:6:120:20 | testComparable5 | testComparable5 |
+| interface.go:121:6:121:20 | testComparable6 | testComparable6 |
+| interface.go:122:6:122:20 | testComparable7 | testComparable7 |
+| interface.go:123:6:123:20 | testComparable8 | testComparable8 |
+| interface.go:124:6:124:20 | testComparable9 | testComparable9 |
+| interface.go:125:6:125:21 | testComparable10 | testComparable10 |
+| interface.go:126:6:126:21 | testComparable11 | testComparable11 |
+| interface.go:127:6:127:21 | testComparable12 | testComparable12 |
+| interface.go:128:6:128:21 | testComparable13 | testComparable13 |
+| interface.go:129:6:129:21 | testComparable14 | testComparable14 |
+| interface.go:130:6:130:21 | testComparable15 | testComparable15 |
+| interface.go:131:6:131:21 | testComparable16 | testComparable16 |
+| interface.go:132:6:132:21 | testComparable17 | testComparable17 |
+| interface.go:133:6:133:21 | testComparable18 | testComparable18 |
+| interface.go:134:6:134:21 | testComparable19 | testComparable19 |
+| interface.go:135:6:135:21 | testComparable20 | testComparable20 |
+| interface.go:136:6:136:21 | testComparable21 | testComparable21 |
+| interface.go:137:6:137:21 | testComparable22 | testComparable22 |
+| interface.go:138:6:138:21 | testComparable23 | testComparable23 |
 | pkg1/embedding.go:8:6:8:9 | base | base |
 | pkg1/embedding.go:19:6:19:13 | embedder | embedder |
 | pkg1/embedding.go:22:6:22:16 | ptrembedder | ptrembedder |
--- a/go/ql/test/library-tests/semmle/go/Types/interface.go
+++ b/go/ql/test/library-tests/semmle/go/Types/interface.go
@@ -107,28 +107,32 @@ type i20 interface {
 	StringB() string
 }

-type testComparable[T comparable] struct{}            // $ implementsComparable
-type testComparable0[T0 i0] struct{}                  // $ implementsComparable
-type testComparable1[T1 i1] struct{}                  // $ implementsComparable
-type testComparable2[T2 i2] struct{}                  // $ implementsComparable
-type testComparable3[T3 i3] struct{}                  // $ implementsComparable
-type testComparable4[T4 i4] struct{}                  // $ implementsComparable
-type testComparable5[T5 i5] struct{}                  // does not implement comparable
-type testComparable6[T6 i6] struct{}                  // does not implement comparable
-type testComparable7[T7 i7] struct{}                  // $ implementsComparable
-type testComparable8[T8 i8] struct{}                  // does not implement comparable
-type testComparable9[T9 i9] struct{}                  // does not implement comparable
-type testComparable10[T10 i10] struct{}               // $ implementsComparable
-type testComparable11[T11 i11] struct{}               // $ implementsComparable
-type testComparable12[T12 i12] struct{}               // does not implement comparable
-type testComparable13[T13 i13] struct{}               // does not implement comparable
-type testComparable14[T14 i14] struct{}               // $ implementsComparable
-type testComparable15[T15 i15] struct{}               // $ implementsComparable
-type testComparable16[T16 i16] struct{}               // does not implement comparable
-type testComparable17[T17 i17] struct{}               // does not implement comparable
-type testComparable18[T18 i18] struct{}               // $ implementsComparable
-type testComparable19[T19 i19] struct{}               // does not implement comparable
-type testComparable20[T20 i20] struct{}               // $ implementsComparable
-type testComparable21[T21 ~[]byte | string] struct{}  // does not implement comparable
-type testComparable22[T22 any] struct{}               // does not implement comparable
-type testComparable23[T23 ~[5]byte | string] struct{} // $ implementsComparable
+// These used to distinguish strictly-comparable interfaces (i.e. those which will not panic at runtime on attempting a comparison),
+// which were required to satisfy the `comparable` type constraint in Go <1.20. Now they all match `comparable` as all interfaces
+// are accepted. I mark those which are also strictly comparable for the future in case we want to expose that concept in QL.
+
+type testComparable[T comparable] struct{}            // $ implementsComparable isStrictlyComparable
+type testComparable0[T0 i0] struct{}                  // $ implementsComparable isStrictlyComparable
+type testComparable1[T1 i1] struct{}                  // $ implementsComparable isStrictlyComparable
+type testComparable2[T2 i2] struct{}                  // $ implementsComparable isStrictlyComparable
+type testComparable3[T3 i3] struct{}                  // $ implementsComparable isStrictlyComparable
+type testComparable4[T4 i4] struct{}                  // $ implementsComparable isStrictlyComparable
+type testComparable5[T5 i5] struct{}                  // $ implementsComparable
+type testComparable6[T6 i6] struct{}                  // $ implementsComparable
+type testComparable7[T7 i7] struct{}                  // $ implementsComparable isStrictlyComparable
+type testComparable8[T8 i8] struct{}                  // $ implementsComparable
+type testComparable9[T9 i9] struct{}                  // $ implementsComparable
+type testComparable10[T10 i10] struct{}               // $ implementsComparable isStrictlyComparable
+type testComparable11[T11 i11] struct{}               // $ implementsComparable isStrictlyComparable
+type testComparable12[T12 i12] struct{}               // $ implementsComparable
+type testComparable13[T13 i13] struct{}               // $ implementsComparable
+type testComparable14[T14 i14] struct{}               // $ implementsComparable isStrictlyComparable
+type testComparable15[T15 i15] struct{}               // $ implementsComparable isStrictlyComparable
+type testComparable16[T16 i16] struct{}               // $ implementsComparable
+type testComparable17[T17 i17] struct{}               // $ implementsComparable
+type testComparable18[T18 i18] struct{}               // $ implementsComparable isStrictlyComparable
+type testComparable19[T19 i19] struct{}               // $ implementsComparable
+type testComparable20[T20 i20] struct{}               // $ implementsComparable isStrictlyComparable
+type testComparable21[T21 ~[]byte | string] struct{}  // $ implementsComparable
+type testComparable22[T22 any] struct{}               // $ implementsComparable
+type testComparable23[T23 ~[5]byte | string] struct{} // $ implementsComparable isStrictlyComparable
--- a/go/ql/test/library-tests/semmle/go/dataflow/ArrayConversion/Flows.expected
+++ b/go/ql/test/library-tests/semmle/go/dataflow/ArrayConversion/Flows.expected
--- a/go/ql/test/library-tests/semmle/go/dataflow/ArrayConversion/Flows.ql
+++ b/go/ql/test/library-tests/semmle/go/dataflow/ArrayConversion/Flows.ql
@@ -0,0 +1,58 @@
+import go
+import TestUtilities.InlineExpectationsTest
+
+class DataConfiguration extends DataFlow::Configuration {
+  DataConfiguration() { this = "data-configuration" }
+
+  override predicate isSource(DataFlow::Node source) {
+    source = any(DataFlow::CallNode c | c.getCalleeName() = "source").getResult(0)
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    sink = any(DataFlow::CallNode c | c.getCalleeName() = "sink").getArgument(0)
+  }
+}
+
+class DataFlowTest extends InlineExpectationsTest {
+  DataFlowTest() { this = "DataFlowTest" }
+
+  override string getARelevantTag() { result = "dataflow" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "dataflow" and
+    exists(DataFlow::Node sink | any(DataConfiguration c).hasFlow(_, sink) |
+      element = sink.toString() and
+      value = "" and
+      sink.hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
+        location.getStartColumn(), location.getEndLine(), location.getEndColumn())
+    )
+  }
+}
+
+class TaintConfiguration extends TaintTracking::Configuration {
+  TaintConfiguration() { this = "taint-configuration" }
+
+  override predicate isSource(DataFlow::Node source) {
+    source = any(DataFlow::CallNode c | c.getCalleeName() = "source").getResult(0)
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    sink = any(DataFlow::CallNode c | c.getCalleeName() = "sink").getArgument(0)
+  }
+}
+
+class TaintFlowTest extends InlineExpectationsTest {
+  TaintFlowTest() { this = "TaintFlowTest" }
+
+  override string getARelevantTag() { result = "taintflow" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "taintflow" and
+    exists(DataFlow::Node sink | any(TaintConfiguration c).hasFlow(_, sink) |
+      element = sink.toString() and
+      value = "" and
+      sink.hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
+        location.getStartColumn(), location.getEndLine(), location.getEndColumn())
+    )
+  }
+}
--- a/go/ql/test/library-tests/semmle/go/dataflow/ArrayConversion/main.go
+++ b/go/ql/test/library-tests/semmle/go/dataflow/ArrayConversion/main.go
@@ -0,0 +1,25 @@
+package main
+
+func source() string {
+	return "untrusted data"
+}
+
+func sink(string) {
+}
+
+func sliceToArray(p []string) [1]string {
+	return [1]string(p)
+}
+
+func main() {
+	// Test the new slice->array conversion permitted in Go 1.20
+	var a [4]string
+	a[0] = source()
+	alias := sliceToArray(a[:])
+	sink(alias[0]) // $ taintflow
+
+	// Compare with the standard dataflow support for arrays
+	var b [4]string
+	b[0] = source()
+	sink(b[0]) // $ taintflow
+}
--- a/go/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Bytes.go
+++ b/go/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Bytes.go
@@ -316,6 +316,39 @@ func TaintStepTest_BytesReaderWriteTo_B0I0O0(sourceCQL interface{}) interface{}
 	return intoWriter197
 }

+func TaintStepTest_Clone(sourceCQL interface{}) interface{} {
+	fromReader628 := sourceCQL.([]byte)
+	return bytes.Clone(fromReader628)
+}
+
+func TaintStepTest_Cutleft(sourceCQL interface{}) interface{} {
+	fromReader628 := sourceCQL.([]byte)
+	sep := []byte{}
+	left, _, _ := bytes.Cut(fromReader628, sep)
+	return left
+}
+
+func TaintStepTest_Cutright(sourceCQL interface{}) interface{} {
+	fromReader628 := sourceCQL.([]byte)
+	sep := []byte{}
+	_, right, _ := bytes.Cut(fromReader628, sep)
+	return right
+}
+
+func TaintStepTest_CutPrefix(sourceCQL interface{}) interface{} {
+	fromReader628 := sourceCQL.([]byte)
+	sep := []byte{}
+	result, _ := bytes.CutPrefix(fromReader628, sep)
+	return result
+}
+
+func TaintStepTest_CutSuffix(sourceCQL interface{}) interface{} {
+	fromReader628 := sourceCQL.([]byte)
+	sep := []byte{}
+	result, _ := bytes.CutSuffix(fromReader628, sep)
+	return result
+}
+
 func RunAllTaints_Bytes() {
 	{
 		source := newSource(0)
@@ -567,4 +600,29 @@ func RunAllTaints_Bytes() {
 		out := TaintStepTest_BytesReaderWriteTo_B0I0O0(source)
 		sink(49, out)
 	}
+	{
+		source := newSource(50)
+		out := TaintStepTest_Cutleft(source)
+		sink(50, out)
+	}
+	{
+		source := newSource(51)
+		out := TaintStepTest_Cutright(source)
+		sink(51, out)
+	}
+	{
+		source := newSource(52)
+		out := TaintStepTest_CutPrefix(source)
+		sink(52, out)
+	}
+	{
+		source := newSource(53)
+		out := TaintStepTest_CutSuffix(source)
+		sink(53, out)
+	}
+	{
+		source := newSource(54)
+		out := TaintStepTest_Clone(source)
+		sink(54, out)
+	}
 }
--- a/go/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Errors.go
+++ b/go/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Errors.go
@@ -23,6 +23,18 @@ func TaintStepTest_ErrorsUnwrap_B0I0O0(sourceCQL interface{}) interface{} {
 	return intoError957
 }

+func TaintStepTest_ErrorsJoin1(sourceCQL interface{}) interface{} {
+	fromError784 := sourceCQL.(error)
+	intoError957 := errors.Join(fromError784, errors.New(""))
+	return intoError957
+}
+
+func TaintStepTest_ErrorsJoin2(sourceCQL interface{}) interface{} {
+	fromError784 := sourceCQL.(error)
+	intoError957 := errors.Join(errors.New(""), fromError784)
+	return intoError957
+}
+
 func RunAllTaints_Errors() {
 	{
 		source := newSource(0)
@@ -39,4 +51,14 @@ func RunAllTaints_Errors() {
 		out := TaintStepTest_ErrorsUnwrap_B0I0O0(source)
 		sink(2, out)
 	}
+	{
+		source := newSource(3)
+		out := TaintStepTest_ErrorsJoin1(source)
+		sink(3, out)
+	}
+	{
+		source := newSource(4)
+		out := TaintStepTest_ErrorsJoin2(source)
+		sink(4, out)
+	}
 }
--- a/go/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Sync.go
+++ b/go/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Sync.go
@@ -58,6 +58,30 @@ func TaintStepTest_SyncMapStore_B0I1O0(sourceCQL interface{}) interface{} {
 	return intoMap881
 }

+func TaintStepTest_SyncMapSwapinkey(sourceCQL interface{}) interface{} {
+	var m sync.Map
+	m.Swap(sourceCQL, "value")
+	return m
+}
+
+func TaintStepTest_SyncMapSwapinvalue(sourceCQL interface{}) interface{} {
+	var m sync.Map
+	m.Swap("key", sourceCQL)
+	return m
+}
+
+func TaintStepTest_SyncMapSwapout(sourceCQL interface{}) interface{} {
+	m := sourceCQL.(sync.Map)
+	oldVal, _ := m.Swap("key", "value")
+	return oldVal
+}
+
+func TaintStepTest_SyncMapCompareAndSwap(sourceCQL interface{}) interface{} {
+	var m sync.Map
+	m.CompareAndSwap("key", "compareTo", sourceCQL)
+	return m
+}
+
 func TaintStepTest_SyncPoolGet_B0I0O0(sourceCQL interface{}) interface{} {
 	fromPool186 := sourceCQL.(sync.Pool)
 	intoInterface284 := fromPool186.Get()
@@ -122,4 +146,24 @@ func RunAllTaints_Sync() {
 		out := TaintStepTest_SyncPoolPut_B0I0O0(source)
 		sink(9, out)
 	}
+	{
+		source := newSource(10)
+		out := TaintStepTest_SyncMapSwapinkey(source)
+		sink(10, out)
+	}
+	{
+		source := newSource(11)
+		out := TaintStepTest_SyncMapSwapinvalue(source)
+		sink(11, out)
+	}
+	{
+		source := newSource(12)
+		out := TaintStepTest_SyncMapSwapout(source)
+		sink(12, out)
+	}
+	{
+		source := newSource(13)
+		out := TaintStepTest_SyncMapCompareAndSwap(source)
+		sink(13, out)
+	}
 }
--- a/go/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Unsafe.go
+++ b/go/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Unsafe.go
@@ -0,0 +1,46 @@
+package main
+
+import "unsafe"
+
+func TaintStepTest_UnsafeSlice(sourceCQL interface{}) interface{} {
+	s := sourceCQL.(*byte)
+	return unsafe.Slice(s, 1)
+}
+
+func TaintStepTest_UnsafeSliceData(sourceCQL interface{}) interface{} {
+	s := sourceCQL.([]byte)
+	return unsafe.SliceData(s)
+}
+
+func TaintStepTest_UnsafeString(sourceCQL interface{}) interface{} {
+	s := sourceCQL.(*byte)
+	return unsafe.String(s, 1)
+}
+
+func TaintStepTest_UnsafeStringData(sourceCQL interface{}) interface{} {
+	s := sourceCQL.(string)
+	return unsafe.StringData(s)
+}
+
+func RunAllTaints_Unsafe() {
+	{
+		source := newSource(0)
+		out := TaintStepTest_UnsafeSlice(source)
+		sink(0, out)
+	}
+	{
+		source := newSource(1)
+		out := TaintStepTest_UnsafeSliceData(source)
+		sink(1, out)
+	}
+	{
+		source := newSource(2)
+		out := TaintStepTest_UnsafeString(source)
+		sink(2, out)
+	}
+	{
+		source := newSource(3)
+		out := TaintStepTest_UnsafeStringData(source)
+		sink(3, out)
+	}
+}
--- a/java/kotlin-extractor/src/main/kotlin/KotlinFileExtractor.kt
+++ b/java/kotlin-extractor/src/main/kotlin/KotlinFileExtractor.kt
@@ -1,6 +1,5 @@
 package com.github.codeql

-
 import com.github.codeql.comments.CommentExtractor
 import com.github.codeql.utils.*
 import com.github.codeql.utils.versions.*
--- a/java/kotlin-extractor/src/main/kotlin/KotlinUsesExtractor.kt
+++ b/java/kotlin-extractor/src/main/kotlin/KotlinUsesExtractor.kt
@@ -1,6 +1,5 @@
 package com.github.codeql

-
 import com.github.codeql.utils.*
 import com.github.codeql.utils.versions.codeQlWithHasQuestionMark
 import com.github.codeql.utils.versions.getKotlinType
--- a/java/ql/lib/CHANGELOG.md
+++ b/java/ql/lib/CHANGELOG.md
@@ -1,3 +1,15 @@
+## 0.5.3
+
+### New Features
+
+* Kotlin versions up to 1.8.20 are now supported.
+
+### Minor Analysis Improvements
+
+* Removed the first argument of `java.nio.file.Files#createTempDirectory(String,FileAttribute[])` as a "create-file" sink.
+* Added the first argument of `java.nio.file.Files#copy` as a "read-file" sink for the `java/path-injection` query.
+* The data flow library now disregards flow through code that is dead based on some basic constant propagation, for example, guards like `if (1+1>3)`.
+
 ## 0.5.2

 ### Minor Analysis Improvements
--- a/java/ql/lib/change-notes/2023-02-06-dataflow-deadcode.md
+++ b/java/ql/lib/change-notes/2023-02-06-dataflow-deadcode.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* The data flow library now disregards flow through code that is dead based on some basic constant propagation, for example, guards like `if (1+1>3)`.
--- a/java/ql/lib/change-notes/2023-02-08-kotlin-1.8.20.md
+++ b/java/ql/lib/change-notes/2023-02-08-kotlin-1.8.20.md
@@ -1,4 +0,0 @@
---
-category: feature
---
-* Kotlin versions up to 1.8.20 are now supported.
--- a/java/ql/lib/change-notes/2023-02-13-update-create-file-sinks.md
+++ b/java/ql/lib/change-notes/2023-02-13-update-create-file-sinks.md
@@ -1,5 +0,0 @@
---
-category: minorAnalysis
---
-* Removed the first argument of `java.nio.file.Files#createTempDirectory(String,FileAttribute[])` as a "create-file" sink.
-* Added the first argument of `java.nio.file.Files#copy` as a "read-file" sink for the `java/path-injection` query.
--- a/java/ql/lib/change-notes/released/0.5.3.md
+++ b/java/ql/lib/change-notes/released/0.5.3.md
@@ -0,0 +1,11 @@
+## 0.5.3
+
+### New Features
+
+* Kotlin versions up to 1.8.20 are now supported.
+
+### Minor Analysis Improvements
+
+* Removed the first argument of `java.nio.file.Files#createTempDirectory(String,FileAttribute[])` as a "create-file" sink.
+* Added the first argument of `java.nio.file.Files#copy` as a "read-file" sink for the `java/path-injection` query.
+* The data flow library now disregards flow through code that is dead based on some basic constant propagation, for example, guards like `if (1+1>3)`.
--- a/java/ql/lib/codeql-pack.release.yml
+++ b/java/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.5.2
+lastReleaseVersion: 0.5.3
--- a/java/ql/lib/qlpack.yml
+++ b/java/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/java-all
-version: 0.5.3-dev
+version: 0.5.4-dev
 groups: java
 dbscheme: config/semmlecode.dbscheme
 extractor: java
--- a/java/ql/lib/semmle/code/java/Type.qll
+++ b/java/ql/lib/semmle/code/java/Type.qll
@@ -1,6 +1,6 @@
 /**
 * Provides classes and predicates for working with Java types.
- * 
+ *
 * Types can be primitive types (`PrimitiveType`), array types (`Array`), or reference
 * types (`RefType`), where the latter are either classes (`Class`) or interfaces
 * (`Interface`).
--- a/java/ql/src/CHANGELOG.md
+++ b/java/ql/src/CHANGELOG.md
@@ -1,3 +1,13 @@
+## 0.5.3
+
+### New Queries
+
+* Added a new query, `java/xxe-local`, which is a version of the XXE query that uses local sources (for example, reads from a local file).
+
+### Minor Analysis Improvements
+
+* The `java/index-out-of-bounds` query has improved its handling of arrays of constant length, and may report additional results in those cases.
+
 ## 0.5.2

 ### New Queries
--- a/java/ql/src/change-notes/2023-02-06-index-out-of-bounds-constant.md
+++ b/java/ql/src/change-notes/2023-02-06-index-out-of-bounds-constant.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* The `java/index-out-of-bounds` query has improved its handling of arrays of constant length, and may report additional results in those cases.
--- a/java/ql/src/change-notes/2023-02-09-xxe-local.md
+++ b/java/ql/src/change-notes/2023-02-09-xxe-local.md
@@ -1,4 +0,0 @@
---
-category: newQuery
---
-* Added a new query, `java/xxe-local`, which is a version of the XXE query that uses local sources (for example, reads from a local file).
--- a/java/ql/src/change-notes/released/0.5.3.md
+++ b/java/ql/src/change-notes/released/0.5.3.md
@@ -0,0 +1,9 @@
+## 0.5.3
+
+### New Queries
+
+* Added a new query, `java/xxe-local`, which is a version of the XXE query that uses local sources (for example, reads from a local file).
+
+### Minor Analysis Improvements
+
+* The `java/index-out-of-bounds` query has improved its handling of arrays of constant length, and may report additional results in those cases.
--- a/java/ql/src/codeql-pack.release.yml
+++ b/java/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.5.2
+lastReleaseVersion: 0.5.3
--- a/java/ql/src/qlpack.yml
+++ b/java/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/java-queries
-version: 0.5.3-dev
+version: 0.5.4-dev
 groups: 
  - java
  - queries
--- a/javascript/ql/lib/CHANGELOG.md
+++ b/javascript/ql/lib/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 0.4.3
+
+### Minor Analysis Improvements
+
+* Added dataflow sources for the [express-ws](https://www.npmjs.com/package/express-ws) library. 
+
 ## 0.4.2

 ### Minor Analysis Improvements
--- a/javascript/ql/lib/change-notes/2023-02-12-express-ws.md
+++ b/javascript/ql/lib/change-notes/2023-02-12-express-ws.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Added dataflow sources for the [express-ws](https://www.npmjs.com/package/express-ws) library. 
--- a/javascript/ql/lib/change-notes/released/0.4.3.md
+++ b/javascript/ql/lib/change-notes/released/0.4.3.md
@@ -0,0 +1,5 @@
+## 0.4.3
+
+### Minor Analysis Improvements
+
+* Added dataflow sources for the [express-ws](https://www.npmjs.com/package/express-ws) library. 
--- a/javascript/ql/lib/codeql-pack.release.yml
+++ b/javascript/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.2
+lastReleaseVersion: 0.4.3
--- a/javascript/ql/lib/qlpack.yml
+++ b/javascript/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/javascript-all
-version: 0.4.3-dev
+version: 0.4.4-dev
 groups: javascript
 dbscheme: semmlecode.javascript.dbscheme
 extractor: javascript
--- a/javascript/ql/lib/semmle/javascript/internal/ConceptsShared.qll
+++ b/javascript/ql/lib/semmle/javascript/internal/ConceptsShared.qll
@@ -81,7 +81,14 @@ module Cryptography {
   * data of arbitrary length using a block encryption algorithm.
   */
  class BlockMode extends string {
-    BlockMode() { this = ["ECB", "CBC", "GCM", "CCM", "CFB", "OFB", "CTR", "OPENPGP"] }
+    BlockMode() {
+      this =
+        [
+          "ECB", "CBC", "GCM", "CCM", "CFB", "OFB", "CTR", "OPENPGP",
+          "XTS", // https://csrc.nist.gov/publications/detail/sp/800-38e/final
+          "EAX" // https://en.wikipedia.org/wiki/EAX_mode
+        ]
+    }

    /** Holds if this block mode is considered to be insecure. */
    predicate isWeak() { this = "ECB" }
--- a/javascript/ql/lib/semmle/javascript/security/internal/CryptoAlgorithmNames.qll
+++ b/javascript/ql/lib/semmle/javascript/security/internal/CryptoAlgorithmNames.qll
@@ -14,8 +14,20 @@
 predicate isStrongHashingAlgorithm(string name) {
  name =
    [
+      // see https://cryptography.io/en/latest/hazmat/primitives/cryptographic-hashes/#blake2
+      // and https://www.blake2.net/
+      "BLAKE2", "BLAKE2B", "BLAKE2S",
+      // see https://github.com/BLAKE3-team/BLAKE3
+      "BLAKE3",
+      //
      "DSA", "ED25519", "ES256", "ECDSA256", "ES384", "ECDSA384", "ES512", "ECDSA512", "SHA2",
-      "SHA224", "SHA256", "SHA384", "SHA512", "SHA3", "SHA3224", "SHA3256", "SHA3384", "SHA3512"
+      "SHA224", "SHA256", "SHA384", "SHA512", "SHA3", "SHA3224", "SHA3256", "SHA3384", "SHA3512",
+      // see https://cryptography.io/en/latest/hazmat/primitives/cryptographic-hashes/#cryptography.hazmat.primitives.hashes.SHAKE128
+      "SHAKE128", "SHAKE256",
+      // see https://cryptography.io/en/latest/hazmat/primitives/cryptographic-hashes/#sm3
+      "SM3",
+      // see https://security.stackexchange.com/a/216297
+      "WHIRLPOOL",
    ]
 }

--- a/javascript/ql/src/CHANGELOG.md
+++ b/javascript/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 0.5.3
+
+No user-facing changes.
+
 ## 0.5.2

 No user-facing changes.
--- a/javascript/ql/src/change-notes/released/0.5.3.md
+++ b/javascript/ql/src/change-notes/released/0.5.3.md
@@ -0,0 +1,3 @@
+## 0.5.3
+
+No user-facing changes.
--- a/javascript/ql/src/codeql-pack.release.yml
+++ b/javascript/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.5.2
+lastReleaseVersion: 0.5.3
--- a/javascript/ql/src/qlpack.yml
+++ b/javascript/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/javascript-queries
-version: 0.5.3-dev
+version: 0.5.4-dev
 groups: 
  - javascript
  - queries
--- a/misc/suite-helpers/CHANGELOG.md
+++ b/misc/suite-helpers/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 0.4.3
+
+No user-facing changes.
+
 ## 0.4.2

 No user-facing changes.
--- a/misc/suite-helpers/change-notes/released/0.4.3.md
+++ b/misc/suite-helpers/change-notes/released/0.4.3.md
@@ -0,0 +1,3 @@
+## 0.4.3
+
+No user-facing changes.
--- a/misc/suite-helpers/codeql-pack.release.yml
+++ b/misc/suite-helpers/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.2
+lastReleaseVersion: 0.4.3
--- a/misc/suite-helpers/qlpack.yml
+++ b/misc/suite-helpers/qlpack.yml
@@ -1,3 +1,3 @@
 name: codeql/suite-helpers
-version: 0.4.3-dev
+version: 0.4.4-dev
 groups: shared
--- a/python/ql/lib/CHANGELOG.md
+++ b/python/ql/lib/CHANGELOG.md
@@ -1,3 +1,16 @@
+## 0.8.0
+
+### Breaking Changes
+
+- Python 2 is no longer supported for extracting databases using the CodeQL CLI. As a consequence,
+  the previously deprecated support for `pyxl` and `spitfire` templates has also been removed. When
+  extracting Python 2 code, having Python 2 installed is still recommended, as this ensures the
+  correct version of the Python standard library is extracted.
+
+### Minor Analysis Improvements
+
+* Fixed module resolution so we properly recognize that in `from <pkg> import *`, where `<pkg>` is a package, the actual imports are made from the `<pkg>/__init__.py` file.
+
 ## 0.7.2

 No user-facing changes.
--- a/python/ql/lib/change-notes/2023-02-14-python-2-no-longer-supported.md
+++ b/python/ql/lib/change-notes/2023-02-14-python-2-no-longer-supported.md
@@ -1,7 +1,12 @@
---
-category: breaking
---
+## 0.8.0
+
+### Breaking Changes
+
 - Python 2 is no longer supported for extracting databases using the CodeQL CLI. As a consequence,
  the previously deprecated support for `pyxl` and `spitfire` templates has also been removed. When
  extracting Python 2 code, having Python 2 installed is still recommended, as this ensures the
  correct version of the Python standard library is extracted.
+
+### Minor Analysis Improvements
+
+* Fixed module resolution so we properly recognize that in `from <pkg> import *`, where `<pkg>` is a package, the actual imports are made from the `<pkg>/__init__.py` file.
--- a/python/ql/lib/codeql-pack.release.yml
+++ b/python/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.7.2
+lastReleaseVersion: 0.8.0
--- a/python/ql/lib/qlpack.yml
+++ b/python/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/python-all
-version: 0.7.3-dev
+version: 0.8.1-dev
 groups: python
 dbscheme: semmlecode.python.dbscheme
 extractor: python
--- a/python/ql/lib/semmle/python/concepts/internal/CryptoAlgorithmNames.qll
+++ b/python/ql/lib/semmle/python/concepts/internal/CryptoAlgorithmNames.qll
@@ -14,8 +14,20 @@
 predicate isStrongHashingAlgorithm(string name) {
  name =
    [
+      // see https://cryptography.io/en/latest/hazmat/primitives/cryptographic-hashes/#blake2
+      // and https://www.blake2.net/
+      "BLAKE2", "BLAKE2B", "BLAKE2S",
+      // see https://github.com/BLAKE3-team/BLAKE3
+      "BLAKE3",
+      //
      "DSA", "ED25519", "ES256", "ECDSA256", "ES384", "ECDSA384", "ES512", "ECDSA512", "SHA2",
-      "SHA224", "SHA256", "SHA384", "SHA512", "SHA3", "SHA3224", "SHA3256", "SHA3384", "SHA3512"
+      "SHA224", "SHA256", "SHA384", "SHA512", "SHA3", "SHA3224", "SHA3256", "SHA3384", "SHA3512",
+      // see https://cryptography.io/en/latest/hazmat/primitives/cryptographic-hashes/#cryptography.hazmat.primitives.hashes.SHAKE128
+      "SHAKE128", "SHAKE256",
+      // see https://cryptography.io/en/latest/hazmat/primitives/cryptographic-hashes/#sm3
+      "SM3",
+      // see https://security.stackexchange.com/a/216297
+      "WHIRLPOOL",
    ]
 }

--- a/python/ql/lib/semmle/python/dataflow/new/internal/ImportResolution.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/ImportResolution.qll
@@ -167,8 +167,22 @@ module ImportResolution {
    )
  }

+  /**
+   * Gets the (most likely) module for the name `name`, if any.
+   *
+   * Handles the fact that for the name `<pkg>` representing a package the actual module
+   * is `<pkg>.__init__`.
+   *
+   * See `isPreferredModuleForName` for more details on what "most likely" module means.
+   */
+  pragma[inline]
+  private Module getModuleFromName(string name) {
+    isPreferredModuleForName(result.getFile(), name + ["", ".__init__"])
+  }
+
+  /** Gets the module from which attributes are imported by `i`. */
  Module getModuleImportedByImportStar(ImportStar i) {
-    isPreferredModuleForName(result.getFile(), i.getImportedModuleName())
+    result = getModuleFromName(i.getImportedModuleName())
  }

  /**
@@ -223,7 +237,7 @@ module ImportResolution {
    exists(string module_name | result = getReferenceToModuleName(module_name) |
      // Depending on whether the referenced module is a package or not, we may need to add a
      // trailing `.__init__` to the module name.
-      isPreferredModuleForName(m.getFile(), module_name + ["", ".__init__"])
+      m = getModuleFromName(module_name)
      or
      // Module defined via `sys.modules`
      m = sys_modules_module_with_name(module_name)
@@ -234,7 +248,7 @@ module ImportResolution {
      ar.accesses(getModuleReference(p), attr_name) and
      result = ar
    |
-      isPreferredModuleForName(m.getFile(), p.getPackageName() + "." + attr_name + ["", ".__init__"])
+      m = getModuleFromName(p.getPackageName() + "." + attr_name)
    )
    or
    // This is also true for attributes that come from reexports.
@@ -248,8 +262,7 @@ module ImportResolution {
    exists(string submodule, Module package |
      SsaSource::init_module_submodule_defn(result.asVar().getSourceVariable(),
        package.getEntryNode()) and
-      isPreferredModuleForName(m.getFile(),
-        package.getPackageName() + "." + submodule + ["", ".__init__"])
+      m = getModuleFromName(package.getPackageName() + "." + submodule)
    )
  }

--- a/python/ql/lib/semmle/python/internal/ConceptsShared.qll
+++ b/python/ql/lib/semmle/python/internal/ConceptsShared.qll
@@ -81,7 +81,14 @@ module Cryptography {
   * data of arbitrary length using a block encryption algorithm.
   */
  class BlockMode extends string {
-    BlockMode() { this = ["ECB", "CBC", "GCM", "CCM", "CFB", "OFB", "CTR", "OPENPGP"] }
+    BlockMode() {
+      this =
+        [
+          "ECB", "CBC", "GCM", "CCM", "CFB", "OFB", "CTR", "OPENPGP",
+          "XTS", // https://csrc.nist.gov/publications/detail/sp/800-38e/final
+          "EAX" // https://en.wikipedia.org/wiki/EAX_mode
+        ]
+    }

    /** Holds if this block mode is considered to be insecure. */
    predicate isWeak() { this = "ECB" }
--- a/python/ql/src/CHANGELOG.md
+++ b/python/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 0.6.3
+
+No user-facing changes.
+
 ## 0.6.2

 No user-facing changes.
--- a/python/ql/src/change-notes/released/0.6.3.md
+++ b/python/ql/src/change-notes/released/0.6.3.md
@@ -0,0 +1,3 @@
+## 0.6.3
+
+No user-facing changes.
--- a/python/ql/src/codeql-pack.release.yml
+++ b/python/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.2
+lastReleaseVersion: 0.6.3
--- a/python/ql/src/qlpack.yml
+++ b/python/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/python-queries
-version: 0.6.3-dev
+version: 0.6.4-dev
 groups: 
  - python
  - queries
--- a/python/ql/test/experimental/import-resolution/main.py
+++ b/python/ql/test/experimental/import-resolution/main.py
@@ -84,6 +84,12 @@ from attr_clash import clashing_attr, non_clashing_submodule #$ imports=attr_cla
 check("clashing_attr", clashing_attr, "clashing_attr", globals()) #$ prints=clashing_attr SPURIOUS: prints="<module attr_clash.clashing_attr>"
 check("non_clashing_submodule", non_clashing_submodule, "<module attr_clash.non_clashing_submodule>", globals()) #$ prints="<module attr_clash.non_clashing_submodule>"

+
+# check that import * from an __init__ file works
+from package.subpackage2 import *
+check("subpackage2_attr", subpackage2_attr, "subpackage2_attr", globals()) #$ prints=subpackage2_attr
+
+
 exit(__file__)

 print()
@@ -91,4 +97,4 @@ print()
 if status() == 0:
    print("PASS")
 else:
-    print("FAIL")
+    sys.exit("FAIL")
--- a/python/ql/test/experimental/import-resolution/package/subpackage2/init.py
+++ b/python/ql/test/experimental/import-resolution/package/subpackage2/init.py
@@ -0,0 +1,6 @@
+from trace import *
+enter(__file__)
+
+subpackage2_attr = "subpackage2_attr"
+
+exit(__file__)
--- a/ruby/ql/lib/CHANGELOG.md
+++ b/ruby/ql/lib/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 0.5.3
+
+### Minor Analysis Improvements
+
+ * Ruby 3.1: one-line pattern matches are now supported. The AST nodes are named `TestPattern` (`expr in pattern`) and `MatchPattern` (`expr => pattern`).
+
 ## 0.5.2

 ### Minor Analysis Improvements
--- a/ruby/ql/lib/change-notes/2023-02-06-one-line-matches.md
+++ b/ruby/ql/lib/change-notes/2023-02-06-one-line-matches.md
@@ -1,4 +1,5 @@
---
- category: minorAnalysis
---
+## 0.5.3
+
+### Minor Analysis Improvements
+
 * Ruby 3.1: one-line pattern matches are now supported. The AST nodes are named `TestPattern` (`expr in pattern`) and `MatchPattern` (`expr => pattern`).
--- a/ruby/ql/lib/codeql-pack.release.yml
+++ b/ruby/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.5.2
+lastReleaseVersion: 0.5.3
--- a/ruby/ql/lib/codeql/ruby/internal/ConceptsShared.qll
+++ b/ruby/ql/lib/codeql/ruby/internal/ConceptsShared.qll
@@ -81,7 +81,14 @@ module Cryptography {
   * data of arbitrary length using a block encryption algorithm.
   */
  class BlockMode extends string {
-    BlockMode() { this = ["ECB", "CBC", "GCM", "CCM", "CFB", "OFB", "CTR", "OPENPGP"] }
+    BlockMode() {
+      this =
+        [
+          "ECB", "CBC", "GCM", "CCM", "CFB", "OFB", "CTR", "OPENPGP",
+          "XTS", // https://csrc.nist.gov/publications/detail/sp/800-38e/final
+          "EAX" // https://en.wikipedia.org/wiki/EAX_mode
+        ]
+    }

    /** Holds if this block mode is considered to be insecure. */
    predicate isWeak() { this = "ECB" }
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
github-actions[bot]	5db91d084c	Post-release preparation for codeql-cli-2.12.3	2023-02-21 14:56:08 +00:00
Nick Rolfe	44dc5a1f0b	Merge pull request #12209 from github/release-prep/2.12.3 Release preparation for version 2.12.3	2023-02-16 13:25:19 +00:00
Nick Rolfe	b4d59ff932	Go: changenote grammar tweaks	2023-02-16 12:07:47 +00:00
github-actions[bot]	b0315119c6	Release preparation for version 2.12.3	2023-02-16 11:49:06 +00:00
Chris Smowton	180246b99c	Merge pull request #12197 from smowton/smowton/admin/go-120-features Go: complete Go 1.20 support	2023-02-16 08:12:02 +00:00
Owen Mansel-Chan	45c1537f06	Merge pull request #12198 from github/smowton/admin/update-change-note Update Twirp change note to new style	2023-02-15 21:54:48 +00:00
Rasmus Wriedt Larsen	ee5382d8a6	Merge pull request #12193 from RasmusWL/import-resolution-fixup Python: Fix `from <pkg> import *` import resolution	2023-02-15 20:13:24 +01:00
Chris Smowton	3ce7fafb67	Fix unsafe test routine name	2023-02-15 19:05:01 +00:00
Chris Smowton	14655e1d8c	Autoformat go	2023-02-15 18:41:14 +00:00
Chris Smowton	261a1348f0	Update Twirp change note to new style	2023-02-15 18:37:50 +00:00
Chris Smowton	c65fd69374	Add change note	2023-02-15 18:35:17 +00:00
Chris Smowton	233bd8ce8c	Claim Go 1.20 support	2023-02-15 18:31:28 +00:00
Chris Smowton	7e7850374e	Implement standard library models for Go 1.20	2023-02-15 18:29:49 +00:00
Chris Smowton	7d2b78b463	Note that all interface types are considered comparable as of Go 1.20	2023-02-15 17:15:00 +00:00
Rasmus Wriedt Larsen	c72dbc49fc	Merge pull request #12165 from RasmusWL/crypto-updates Python/Ruby/JS Crypto: Add a few algorithms + block modes	2023-02-15 14:35:40 +01:00
Rasmus Wriedt Larsen	7e16fa9cbe	Python: Add change-note	2023-02-15 14:25:33 +01:00
Rasmus Wriedt Larsen	220f227707	Python: Add wrapper for `isPreferredModuleForName` We talked about how it's annoying that we in 4 places have the same fix `isPreferredModuleForName(<module>.getFile(), <name> + ["", ".__init__"])` , and that it would be nice to have a simple wrapper predicate that ensures we never forget to do the `+ ["", ".__init__"]` dance... I had trouble coming up with a name for this (ironically), but I think `getModuleFromName` is good enough.	2023-02-15 14:23:39 +01:00
Rasmus Wriedt Larsen	66c3529465	Python: Fix import * from `__init__.py` files	2023-02-15 14:10:37 +01:00
Rasmus Wriedt Larsen	df6039d6cf	Python: Add import resolution regression	2023-02-15 13:50:27 +01:00
Rasmus Wriedt Larsen	e1ae3c3cfb	Python: sys.exit if import resolution tests fail	2023-02-15 13:44:45 +01:00
Chris Smowton	368ca6cb30	Add test exercising Go 1.20 array conversions	2023-02-15 12:31:09 +00:00
Rasmus Wriedt Larsen	39e50f745d	Ruby: Fix `.expected` for CryptoAlgorithms	2023-02-13 14:21:12 +01:00
Rasmus Wriedt Larsen	5235964b07	sync files	2023-02-13 10:44:12 +01:00
Rasmus Wriedt Larsen	b2e79e2948	Python/Ruby/JS Crypto: Add a few algorithms + block modes I have tried to add a few links to support the claim that these algorithms are strong/safe. It wasn't always super easy, so in some cases I have ended up just linking to the documentation of the `cryptography` Python package. Co-authored-by: REDMOND\brodes <brodes@microsoft.com>	2023-02-13 10:40:47 +01:00